Flawed: The new ID card design, with the same data we were able to forge
New ID cards are supposed to be ‘unforgeable’ – but it took our expert 12 minutes to clone one, and programme it with false data
By Steve Boggan
Adam Laurie is no ordinary hacker. In the world of computing, he is considered a genius – a man whose talents are used by government departments and blue-chip companies to guard against terrorists and cyber-criminals.
But even by his standards, what he is about to demonstrate is mind-boggling – and deeply disturbing.
Laurie is holding one of 51,000 ID cards issued by the Home Office to foreign nationals currently working or studying in Britain.
It is similar to the ID card for British citizens unveiled last week by Alan Johnson, the Home Secretary, as part of the Government’s ongoing National Identity Scheme.
Embedded inside the card for foreigners is a microchip with the details of its bearer held in electronic form: name, date of birth, physical characteristics, fingerprints and so on, together with other information such as immigration status and whether the holder is entitled to State benefits.
Related
National ID cards could trade privacy for security
This chip is the vital security measure that, so the Government believes, will make identity cards ‘unforgeable’.
But as I watch, Laurie picks up a mobile phone and, using just the handset and a laptop computer, electronically copies the ID card microchip and all its information in a matter of minutes.
He then creates a cloned card, and with a little help from another technology expert, he changes all the information the card contains – the physical details of the bearer, name, fingerprints and so on. And he doesn’t stop there.
With a few more keystrokes on his computer, Laurie changes the cloned card so that whereas the original card holder was not entitled to benefits, the cloned chip now reads ‘Entitled to benefits’.
As a chilling twist, he adds a message that would be visible to any police officer or security official who scanned the card: ‘I am a terrorist – shoot on sight.’
And all of this has been done in such a way as to fool the electronic readers intended to check the ID card’s authenticity. It is, quite simply, a terrifying achievement.
For the implications of what he has demonstrated could scarcely be more serious. Laurie’s fake card could be used to fool banks, commit fraud and maybe even illegally claim benefits or free NHS care.
More disturbing still, it could be used to cover the tracks of terrorists planning atrocities on British or foreign soil. By any sensible measure, his demonstration, as part of a special Mail investigation, should be the final nail in the coffin of the Government’s £5.4-billion ID scheme.
The card unveiled by the Home Secretary will not hit the streets until the end of this year, so Laurie has not had the chance to test the precise design.
But according to the UK Identity And Passport Service, it is essentially the same and potentially just as vulnerable as the Home Office’s ‘foreign nationals’ card we tested.
‘It is the same technology,’ a spokesman told me. ‘We’re not running two different systems. It is just the facade that is different.’
This does not augur well for the reputation of the supposedly fail-safe ID card. The Government says the scheme will be rolled out only on a ‘voluntary’ basis, beginning with a trial run in Manchester in November.
But if Labour wins the next General Election and continues with its current policy, the scheme will be expanded nationwide by 2012.
And, as many banks, businesses and public service providers start to require an ID card as part of routine identity checks, Labour hopes the public will feel it has little option other than to ‘opt in’ to carrying a card, if only to make life simpler.
Standard Nokias come equipped with chip-scanning software
But would you volunteer for one? The Government insists the technology is totally secure. This investigation shows that the very opposite is true.
Our inquiries began last December, when Adam Laurie and I approached the Home Office with our suspicions that ID cards for foreign nationals, issued for the first time just one month earlier, were potentially flawed.
Officials agreed to meet us to discuss our concerns – then cancelled at the last minute. So we decided to test the system for ourselves. It took us several months to persuade a foreign student to lend us his card to examine. But when we got one, even we were shocked by what we found.
Within 12 minutes of laying his hands on it, Laurie had made a clone. I’ll explain what he did next, but first some background.
Pingback: “unforgeable” ID cards hacked in minutes | timenauts
brilliant!
Pingback: Jonas & François Do It Again For Audio Bullys “Only Man” | The FontFeed